'self' xss reported in a question's moderate

Type atlassian
Reporter dblack
Modified 2018-10-11T08:48:46


{panel:bgColor=#e7f4fa} NOTE: This bug report is for Confluence Server. Using Confluence Cloud? [See the corresponding bug report|http://jira.atlassian.com/browse/CONFCLOUD-47423]. {panel}

We have received an external report of a dom xss in the moderation code for a question on answers.atlassian.com.

{quote} 1) DOM XSS

Go to https://answers.atlassian.com/ Prepare an question ,after savin it go to the question ,there is an option of "Moderate" ,click it ,there is an option to "Create bounty" select that , and in the input box which appears enter '"><iframe/onload=prompt(document.cookie);> and press ok and alert will come immediately !!


This issue would require some social engineering exploit through perhaps clickjacking and tricking a user into XSS'ing themselves on answers.atlassian.com.